Centralized IT Operations – The Disaster Ahead
Question:
What happens if we centralize and automate IT operations?
Answer: We get bigger failures, and those failures have greater consequences.
Question:
What happens if we don’t centralize and automate IT operations?
Answer: De-centralized systems are less susceptible to enterprise-wide
disruption.
We can see this now. Sort of.
Ransomware attacks. Equifax. The City of Atlanta. Colonial Pipeline. SolarWinds. Kaseya.
But wait – how did this all start? Let’s take a look back to the origins of this mess.
In the beginning...
Companies began selling us on the idea of “the cloud” before we could actually spend our
money on it. With star-filled eyes, the cloud evangelists told us the rapture
was near, and heaven was being built. Soon and very soon! They painted a
beautiful picture of a bright and glorious future. Work from anywhere! Start
that report in the office, and finish it from a lounge chair on a sunny beach!
Are you out on the golf course, and want to know the latest sales figures? Just
look at your phone! Do you need stock alerts to know the best instant to buy
and sell? Real time information is beeping on your Blackberry right now! You’ll
make millions, while sitting in the stadium watching the kids play their
favorite sports. You’ll be a good parent, a good spouse, a good worker, loads
of free time, forever happy, and rich beyond your wildest imaginings.
“The cloud! Can you see it?”
Of course, we had questions. We had doubts. We raised objections.
Objection #1: “How can it be cheaper for me to pay you to
manage my servers? You’ve got to pay for real estate, electricity, data
circuits, and employees to maintain it all, just like I would. Plus, on top of
the normal expenses, you’ll be charging me a premium so you’ll make a profit. I
should just do it myself and not pay your profit margin.”
The cloud evangelists replied: “It’ll be a
shared cost. Shared servers, shared air conditioning, shared real estate,
shared staff. You’ll only pay a fraction of what it would cost to pay
all of the overhead yourself.”
And we believed them.
Objection #2: “But you’ll have access to our data. We can’t
trust you not to peek. It’s not secure.”
The cloud evangelists replied: “All your data
will be encrypted, and you’ll be the only one with the encryption keys.”
And we believed them.
Objection #3: “What if there’s a disaster in your data
center? An earthquake? A fire?”
The cloud evangelists replied: “We’ll have
carrier grade equipment and best practices. We’ll make backups. We’ll store
copies of your data in multiple locations around the globe. Just like the
Titanic, it can never fail.”
And we believed them.
And everything they said was true, but
not the whole truth.
Cheaper? With metered pricing, no user in the company
knows the total monthly cost until the invoice arrives.
Question: Who said, “Holy $%&! We’ve got to get our monthly cloud expense
under control!?”
Answer: Every business owner who has ever used the cloud.
Encrypted and private? Encryption melts away in the presence
of authentication. Historically, authentication credentials are easier to
obtain than we like to think. And there’s this little matter of revelations
about the NSA by some guy named Ed. But it’s not just the USA; you can
extrapolate those revelations to every nation-state with an interest in data.
Backups in multiple locations? Some of those
locations turned out to be in countries with lax security, no privacy laws, or
untrustworthy governments. To address these concerns, some countries have
passed laws to define where and how information about their citizens can be
stored, but auditing to verify compliance is difficult. A decree isn’t
equivalent to reality.
None of this information is new. It’s
all been said before. But large companies still embrace centralization of their
IT operations. Why?
Data is a drug.
Because data is like crack cocaine,
and the largest companies in the world are addicted to it. Today, corporations
don’t centralize their data because it’s cheaper or more secure. They
centralize their data to create new revenue streams by leveraging the power of
big data. They don’t centralize their data to save money and reduce costs to
you. They centralize their data so they can get more money from you. Oh, wait;
there’s one part of the previous sentence that needs to be corrected.
It’s not their data. It’s your data.
Corporations are centralizing the
storage of your data so they can leverage the information to get you to buy
more – more stuff, more services, more audio and video content.
And it works. And that’s why they
tolerate the insecurity created by storing data for everyone in the company (or
in the world!) in one data center, instead of having each branch office
maintain and store customer information locally.
There’s a better way. Consider insurance as an example.
The insurance industry used to be
decentralized, but they changed their operating model to the more risky
centralized model in order to profit from your information.
Consider your local auto insurance
agent. They’re not just auto insurance any more. They’re now a multi-lines
agent. They can sell you an auto policy, a homeowner’s policy, and life
insurance. Maybe even a Medicare supplement. They offer an economic incentive,
too. You get a discount when you bundle.
The local insurance agent used to have
a wall of filing cabinets full of accounts. They may still have some filing
cabinets, but they don’t fiddle with the paperwork so much anymore. The agent,
or their Customer Service Representative (CSR), enters all of that information
into the insurance company’s Database In The Cloud.
What happens when the insurance
company’s Database In The Cloud is breached by cybercriminals? You know the
answer. The cybercriminals have all of the sensitive information on millions of
people: the drivers, the homeowners, the children – all of it.
Now, compare that worst-case scenario to
a criminal break-in at an insurance office before data centralization. How much
sensitive information would the criminal get? In order to answer that question
I did some research, and I discovered that the size of a local insurance agency
varies widely. (As a sidenote, I also learned that there are a lot of unhappy
insurance agents and ex-insurance agents posting in various insurance forums.
In case you’re wondering, insurance agents work hard for their money).
But back to our question: how big is a typical insurance office? There are big
offices and small offices, but for our
example we’ll use a multi-line insurance agent with 2,000 policies. This could
be a Farmers agent, or State Farm, and so on. How many households are
represented by those 2,000 policies? Well, it’s a multi-line insurance agency,
so some households have more than one of those 2,000 policies, so let’s say
we’re talking about 1,500 households. Next question: how many people are in
those 1,500 households? Some of the households are single people living in an
apartment. Some of the households are families of six living in a big house.
So, let’s say that the average household is composed of 4 people. Do the math
and that gives us an insurance office with detailed information on about 6,000 people.
Even if the local insurance agent
gives up filing cabinets and stores all of the customer information on a
computer connected to the Internet, we’re still looking at a much safer
scenario. A cybercriminal who breaches the agent’s office network will get the
information of about 6,000 people – not 6 million.
“But, Bob – there’s no way the little
insurance agent can have a network as secure as a sophisticated data center!”
I call B.S. on that one. Data centers
are getting breached right and left. Hey, even if ten percent of the insurance
agents used abc123 for their password, the decentralized data would still be
more secure than it is today. And another thing – the insurance company can set
standards for their agents’ networks, and enforce those standards through
monitoring at the district level. So, no. The centralization of your data isn’t
being done because it’s more secure. It’s being done because the collected data
is a source of additional revenue. Your security and privacy are taking a back
seat to corporations’ greed.
I’m not trying to pick on insurance
companies. That was just an example that you’re sure to be familiar with. All
the different types of companies that collect your data are doing everything
they can to profit from your data. They market to you directly, and they sell
your information to other marketers.
“But when they sell my information,
don’t they anonymize it?” It doesn’t matter. They have your information,
un-anonymized. And then they get breached. Your name, address, date of birth,
Social Security number, credit card information – and that one password you’ve
been using on every account since you were in the tenth grade – it’s all gone.
Because they centralized the data on millions of customers, stored it all in
one network, and that one network was compromised.
T-Mobile. Target. The Veterans
Administration. All of them could have architected a network with decentralized
data. But they centralized it, because it was for their benefit, not yours.
The big corporations claim, “By centralizing
your data, we’re keeping our costs down, and we pass the savings along to you.”
Translation: “We’re increasing unemployment by reducing our IT headcount.” And
they don’t do it to pass the savings along to you; they do it so they can
market to you, and get you to spend more. In other words, they’re reducing
their costs, and increasing your spending.
Time to summarize.
What can we learn from the many
recent, large scale data breaches? I’m glad you asked! We learn that
centralization and automation of IT operations is an Achilles’ heel that brings
two problems:
1) Failures have greater consequences.
2) Increased unemployment.
What happens if we don’t centralize
and automate IT operations? I’m glad you asked!
1) De-centralized systems are less
susceptible to enterprise-wide disruption.
2) We have a larger pool of
entry-level IT talent from which to promote.
I’ll leave you with this question:
Which costs less: centralized/automated, or decentralized/human driven?
A lot of people thought this question
had an easy answer.
Does it?
--Bob Young
FIFO Networks